Running a Tor relay on your QNAP NAS

Each year I watch the talks at the Chaos Communication Congress and feel especially inspired by @ioerror and @RogerDingledine talking about the Tor network. “The Onion Router” (Tor) is an Internet anonymity tool that allows you to establish network connections without the recipient knowing who their communication partner is. More information on why Tor is increasingly important in today's world of mass surveillance can be found in the following resources:

The Tor network is based on several relay nodes that simply forward traffic. Regular relays forward only within the Tor network and are generally ok to run. Exit nodes are used to connect the Tor network to the regular Internet. However, since bad people also use the Tor network, they may then do bad things using the IP address of the exit node. Therefore, you have to think twice before actually running an exit node on your NAS.

If you are convinced that running a Tor relay on your QNAP NAS is worth the time, then please read on. Otherwise, please consider contributing to Tor in another way.

Installing OptWare

To do the following, you will need to have “OptWare” installed. Do that in the “QPKG Center” in the QNAP web interface. After installing it, you have to enable it. Furthermore, please enable SSH access to your device.

Setting up the Build Environment

To build your own code on the QNAP, you will need compilers and other handy stuff. So first of all, log into your NAS via SSH:

This will take a while, but it is worth the wait. Now, I had to do a couple of additional steps to get anything to build.

Fix automake to avoid using threads in Perl

Open /opt/share/automake-1.12/Automake/Config.pm and set perl_threads to 0.

$ vim /opt/share/automake-1.12/Automake/Config.pm

Go to line 35 and change it to match this:

our $perl_threads = 0;

Fix automake to use the correct path to autoconf

Open /opt/bin/automake and modify the path to autoconf.

$ vim /opt/bin/automake

And now change line 5228 to match the following:

my $traces = ($ENV{AUTOCONF} || '/opt/bin/autoconf') . " ";

Set a proper working path

This step is necessary because the default PATH setting makes all tools look in /bin and /sbin first. However, the busybox tools sitting there do not have the functionality that we need, so many build scripts will fail. Therefore, open /etc/profile in your editor and navigate to line 52.

$ vim /etc/profile

Make sure that /opt/bin and /opt/sbin are prepended to the PATH. To put it simply, make the line look like this:

export PATH=/opt/bin:/opt/sbin:$PATH

Install the Tor dependencies

Tor is based on crypto, so it needs openssl. Furthermore, libevent seems to be something Tor definitely needs.

ipkg install openssl-dev openssl libevent

Download Tor

Download it to your computer and then copy it over to your NAS. Please do not use wget on your NAS to download tor directly. The NAS does not have the ca-certificates installed which means that it cannot verify the server identity. Therefore, you cannot be sure if the downloaded version of tor is genuine. Since you can never be sure, the proper way is to verify the signature of the downloaded tor archive.
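One way to do that signature check on the computer that downloaded the archive, as an added example that is not part of the original post: it accepts the archive only if gpg reports a valid signature made by a key you pinned beforehand. The function names, the fingerprints and the `.asc` file name in the usage comment are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): verify a detached signature
# and pin the signing key instead of trusting any key in the keyring.

# signer_of_status: read `gpg --status-fd` output on stdin and print the
# primary-key fingerprint of a valid signature (last field of VALIDSIG).
# Old gpg versions omit that field; the comparison below then fails closed.
signer_of_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# verify_pinned ARCHIVE SIGNATURE EXPECTED_FPR
# Returns 0 only if the signature is valid AND was made by EXPECTED_FPR.
verify_pinned() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "missing archive or signature" >&2; return 2; }
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || {
        echo "signature check failed" >&2; return 1; }
    signer=$(printf '%s\n' "$status" | signer_of_status)
    [ -n "$signer" ] && [ "$signer" = "$3" ] || {
        echo "signed by unexpected key: ${signer:-none}" >&2; return 1; }
}

# sample_status: constructed gpg status output with fake fingerprints.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2014-01-01 1388534400 0 4 0 1 8 00 2222222222222222222222222222222222222222
EOF
}

# Demo on the constructed status text: prints the primary-key fingerprint.
sample_status | signer_of_status

# Real use (placeholder fingerprint, taken from a source you already trust):
#   verify_pinned tor-0.2.4.20.tar.gz tor-0.2.4.20.tar.gz.asc "$PINNED_FPR" \
#       && scp tor-0.2.4.20.tar.gz admin@nas:
```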

Once you have tor on your NAS, extract it:

tar -xvzf tor-0.2.4.20.tar.gz

Build Tor

Building tor is simple. After installing the dependencies, configure should be run as follows:

Why should you use the --disable-gcc-hardening option while it obviously makes things worse? By default, tor will add the compiler flag -fstack-protector-all, which is good. Unfortunately, gcc 4.2 and 4.3 have a bug that makes binaries compiled with -fstack-protector-all on ARM processors segfault when started. To overcome this, we have to pass --disable-gcc-hardening to the tor configure process.

If your configure run went well, simply build and install tor:

PATH=/opt/bin:${PATH} make
PATH=/opt/bin:${PATH} make install

Set up port forwarding

Usually, your NAS is behind your home router that NATs your network. So, we need to forward connections coming from the internet to the newly set up Tor node. How you do that depends on your router. In any case, forward port 9001 to the IP of your NAS. For my (German) AVM Fritz Box the setup looks like this:

Configure your Tor relay

Create the file /opt/etc/tor/torrc and copy&paste the following example config file:

ContactInfo gives the Tor community a way to reach you in case there is a problem with your relay.

Address specifies the DNS name of your router. In case you have set up a dynamic DNS service, please enter the name here.

RelayBandwidthRate is the bandwidth in kilobytes per second that you want to devote to Tor. Please keep in mind that the upstream of your home DSL connection is usually the bottleneck and you should not give everything to Tor!

ORPort is the port you set up the port forwarding for. You can use another port, but this has to be reflected in the torrc config and in the port forwarding in your home router.
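A quick way to check a torrc against the settings described above, as an added example that is not the config from the original post: it audits a relay config for ORPort, ContactInfo, RelayBandwidthRate, RunAsDaemon and a non-exit ExitPolicy. The function names and every value in the sample config (nickname, contact, host name, bandwidth figures) are constructed placeholders; only port 9001 comes from this page.

```shell
#!/bin/sh
# Added example (not from the original post): audit a torrc for the relay
# settings this page describes. All sample values below are constructed.

# torrc_value FILE KEY: print the value of the first uncommented KEY line.
torrc_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        tolower($1) == tolower(key) {            # option names are case-insensitive
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# audit_torrc FILE: print one line per finding, return the number of findings.
audit_torrc() {
    f=$1; findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }
    [ -n "$(torrc_value "$f" ORPort)" ] || note "ORPort unset, Tor will not relay"
    [ -n "$(torrc_value "$f" ContactInfo)" ] || note "ContactInfo unset"
    [ -n "$(torrc_value "$f" RelayBandwidthRate)" ] || note "RelayBandwidthRate unset, no relay bandwidth cap"
    [ "$(torrc_value "$f" RunAsDaemon)" = "1" ] || note "RunAsDaemon is not 1, Tor stays in the foreground"
    # A non-exit relay refuses all exit traffic with its first ExitPolicy line.
    [ "$(torrc_value "$f" ExitPolicy)" = "reject *:*" ] || note "first ExitPolicy is not 'reject *:*'"
    return "$findings"
}

# write_sample_torrc FILE: constructed relay config with placeholder values.
write_sample_torrc() {
    cat > "$1" <<'EOF'
Nickname ExampleQnapRelay
ContactInfo Relay Operator <operator AT example DOT org>
Address relay.example.org
ORPort 9001
RelayBandwidthRate 100 KBytes
RelayBandwidthBurst 200 KBytes
ExitPolicy reject *:*
#RunAsDaemon 1
EOF
}

# Demo: RunAsDaemon is still commented out, so exactly one finding is reported.
sample=$(mktemp)
write_sample_torrc "$sample"
audit_torrc "$sample" || echo "$? finding(s) in $sample"
rm -f "$sample"
```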

Create a separate user for tor

Tor should never run as the root user and it actually warns you if you still do it. To be safe, we will create a separate user for the Tor daemon:

If Tor finds a problem, for example with your port forwarding, it will tell you.

Making Tor start automatically on startup

First of all you will need a file that is automatically executed when your QNAP NAS boots. I have already explained how this can be done in another blog post. Once you have your /share/MD0_DATA/.qpkg/autorun/autorun.sh file, simply add the following line to it:

su tor -c tor

All that is left to do now is to make Tor run as a daemon. To do this, edit your /opt/etc/tor/torrc and remove the # from the “RunAsDaemon” line: